How to address the security issues with the exe generated by javapackager?

[yok10056]

Can he use ProGuard together with it? Currently, the generated exe is easily cracked by others, which is fatal for desktop applications.

[fvarrui]

hi @yok10056!

Yeah, good point!! I think you can set runnableJar option to point to your own obfuscated/minified JAR file. You also can bundle your own minified JRE using the jrePath option.

Maybe we can add a new feature to JavaPackager, so it automatically process JARS/MODS with ProGuard after generating those artifacts. It wouldn't be a bad idea.

I know there's an "official" ProGuardTask for Gradle and maybe we can use proguard-maven-plugin for Maven. This task could be done after generating the app and before generating installers/zipballs/tarballs.

[yok10056]

How is the usage of runnableJar?

[fvarrui]

You can build your own obfuscated JAR and set it in runnableJar property. See https://github.com/fvarrui/JavaPackager#plugin-configuration-properties and https://github.com/fvarrui/JavaPackager/blob/master/docs/maven/plugin-configuration-samples.md#bundle-your-own-fat-jar

[fvarrui]

This issue is related to #334

[fvarrui]

Hi @yok10056! Any news?

[workcheng]

You can refer to this demo. Although it is not perfect, it can achieve the effect of obfuscating the JAR package. It is hoped that javapackager can natively support obfuscation and encryption. https://gitee.com/12581/proguard-javapackager-gradle-demo